5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
50.9%
In versions prior to v0.7.0 it was possible for an attacker to supply an invalid assertion which would trigger a panic due to a nil-pointer dereference.
The issue was patched in v0.7.0, released on March 2, 2022.
Callers to gosaml2
can use recover()
to handle panics to mitigate a potential DoS.
See issue #59 for details.
CPE | Name | Operator | Version |
---|---|---|---|
github.com/russellhaering/goxmldsig | lt | 1.1.1 | |
github.com/russellhaering/gosaml2 | lt | 0.7.0 |
github.com/russellhaering/gosaml2
github.com/russellhaering/gosaml2/commit/66e3b7affd622b8b24ea1e18845f045e46b23424
github.com/russellhaering/gosaml2/issues/59
github.com/russellhaering/gosaml2/pull/90
github.com/russellhaering/gosaml2/releases/tag/v0.7.0
github.com/russellhaering/gosaml2/security/advisories/GHSA-prjq-f4q3-fvfr
github.com/russellhaering/goxmldsig/issues/48
snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUSSELLHAERINGGOSAML2-608302
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
50.9%